Where should an auditor begin a full-company internal control audit?
Begin by defining the engagement objective and scope. "Full-company controls audit" is too broad unless it is translated into a specific purpose, such as documentation, design assessment, operating effectiveness testing, or readiness review. Once the objective is clear, perform a risk assessment to decide which processes deserve first-wave coverage.
The next step is process mapping. Identify major processes, owners, objectives, risks, systems, evidence, and existing controls. Then perform walkthroughs before testing. Walkthroughs show whether the controls are real, assigned, evidenced, and connected to the risk.
For the CIA exam, the strongest answer starts with scope and risk. It does not jump straight into sample testing or try to document every control in the company with equal depth.